I just tried to access a reputable web site that issues its own SSL certs and got this warning message from IE6:
"You are about to install a certificate from a CA claiming to represent www.x9.org. Windows cannot validate that the certificate is actually from www.x9.org. You should confirm its origin by contacting www.x9.org. The following number will assist you in this process: Thumbprint (sha1): 8FBF6185 1D390508 F04BA0CB 31F4C4C E5310DAE.
"Installing a certificate with an unconfirmed thumbprint is a security risk. If you click Yes you acknowledge this risk. Do you want to install this certificate?"
I'm a security professional and even I find this message very hard to understand and almost completely unactionable. An ordinary user would ask:
* What is a certificate?
* What does CA mean?
* What is a thumbprint? Does it have something to do with my thumb? Should I place my thumb on my laptop's finger sensor?
* What does SHA1 stand for?
* How should I interpret the mysterious code 8FBF6185 1D390508 F04BA0CB 31F4C4C E5310DAE?
* How do I contact www.x9.org? All I have is their web URL, and I can't access that unless I click Yes on this dialog box!
* What risk am I actually being asked to accept here? i.e. what are the potential consequences of clicking Yes?
I'm not trying to pick on a particular vendor or product (honestly), but I think this message is emblematic of what's wrong with current browser security indicators. I hope it's within the scope of the WSC charter to address this sort of thing, because browser context issues clearly run much deeper than padlocks or color-coded address bars.
Michael McCormick, CISSP
Lead Architect, Information Security
Wells Fargo Bank
255 Second Avenue South
MAC N9301-01J
Minneapolis MN 55479
612-667-9227 (desk) | 612-667-7037 (fax) | 612-590-1437 (cell) | 612-621-1318 (pager)
michael.mccormick@wellsfargo.com (e-mail, AIM)

"THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS FARGO"
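As an added example that is not part of the message above: the "Thumbprint (sha1)" in that dialog is the SHA-1 hash of the certificate's DER encoding, and the only useful thing a user can do with it is compare it against a value obtained from the organisation over some channel other than the page the dialog is blocking. The Python below computes and compares such a thumbprint; it assumes a constructed byte string standing in for a real certificate and uses helper names of my own (pem_to_der, sha1_thumbprint, thumbprint_matches) that belong to no real library.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a certificate's DER encoding (NOT a real certificate);
# a real check would read the .cer/.pem file the dialog is asking you to install.
CONSTRUCTED_DER = bytes(range(256)) * 3


def wrap_pem(der: bytes) -> str:
    """Build PEM armour around DER bytes (constructed input for this demo)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


CONSTRUCTED_PEM = wrap_pem(CONSTRUCTED_DER)


def pem_to_der(pem: str) -> bytes:
    """Strip the armour and base64-decode: the thumbprint covers the DER bytes, not the PEM text."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def sha1_thumbprint(der: bytes) -> str:
    """SHA-1 of the DER as upper-case hex in 8-character groups, the way the IE dialog prints it."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


def normalise(thumbprint: str) -> str:
    """Drop spaces and colons so Windows ('8FBF6185 ...'), OpenSSL ('8F:BF:...') and hand-typed values compare equal."""
    return re.sub(r"[\s:]", "", thumbprint).upper()


def thumbprint_matches(der: bytes, expected: str) -> bool:
    """True only if the certificate's thumbprint equals the 40-hex-digit value obtained out of band."""
    expected = normalise(expected)
    if not re.fullmatch(r"[0-9A-F]{40}", expected):
        return False  # SHA-1 is exactly 40 hex digits; a value that lost a digit in transcription is rejected, not guessed
    return hmac.compare_digest(normalise(sha1_thumbprint(der)), expected)


if __name__ == "__main__":
    der = pem_to_der(CONSTRUCTED_PEM)
    print("Thumbprint (sha1):", sha1_thumbprint(der))
    # Simulate a value read back over the phone in OpenSSL's colon-separated, lower-case style.
    print("matches out-of-band value:", thumbprint_matches(der, sha1_thumbprint(der).lower().replace(" ", ":")))
```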